On January 28, 2022, Let's Encrypt will revoke SSL/TLS certificates issued in the past 90 days due to the vulnerability described below. Let's Encrypt, a non-profit certificate authority run by the Internet Security Research Group (ISRG), provides free SSL/TLS certificates for Transport Layer Security encryption.
According to BleepingComputer, as of November 2021 more than 221 million Let's Encrypt certificates were active. The vulnerability could affect millions of already active certificates.
On January 25, 2022, Let's Encrypt/ISRG was notified by a third party who, while examining Let's Encrypt's Boulder codebase, found "two inconsistencies" in the "TLS with ALPN" (TLS-ALPN-01) verification method implemented by the Certificate Authority, so the Certificate Authority must make two changes to its TLS-ALPN-01 validation method.

To comply with the "Let's Encrypt Certificate Policy" (which requires that, under certain conditions, the Certificate Authority revoke affected certificates as soon as possible), the organization will start revoking certificates.
It's important to note that not all Let's Encrypt certificates are affected: the revocation plan applies only to certificates issued using the flawed TLS-ALPN-01 verification method.
According to the engineer's response, less than 1% of valid certificates are estimated to be affected, and users will be notified by email if their ACME account contains a valid email address. Although Let's Encrypt has issued a remedy, some users have still expressed dissatisfaction.
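Because the ACME validation method is not recorded in the certificate itself, the most an operator can do locally is list certificates that are candidates for this batch (issued by Let's Encrypt within the 90 days before January 28, 2022) and then compare that list against the CA's email notice. The following Go program is an added example, not code from the article or from Let's Encrypt; it uses only the standard library, and the self-signed certificate it builds is a constructed test input whose issuer name merely imitates Let's Encrypt's "R3" intermediate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationDate is the date the article gives for this revocation batch.
var RevocationDate = time.Date(2022, time.January, 28, 0, 0, 0, 0, time.UTC)

// InWindow reports whether cert names Let's Encrypt as issuer and was issued in the 90 days
// before revocationDate; the validation method is not in the cert, so true only flags a candidate.
func InWindow(cert *x509.Certificate, revocationDate time.Time) bool {
	fromLE := false
	for _, org := range cert.Issuer.Organization {
		fromLE = fromLE || org == "Let's Encrypt"
	}
	start := revocationDate.AddDate(0, 0, -90)
	return fromLE && !cert.NotBefore.Before(start) && !cert.NotBefore.After(revocationDate)
}

// selfSigned builds a constructed self-signed test certificate (not a real Let's
// Encrypt certificate); in a self-signed cert the subject is also the issuer.
func selfSigned(org string, notBefore time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: "R3"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, 90),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := selfSigned("Let's Encrypt", time.Date(2021, time.December, 15, 0, 0, 0, 0, time.UTC))
	fmt.Println("candidate for the 2022-01-28 batch:", err == nil && InWindow(cert, RevocationDate))
}
```

In practice you would feed InWindow the certificates parsed from your own servers or key store rather than the constructed one in main.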